PHPCMS various injection vulnerability patches

1. Wide byte injection vulnerability

/phpcms/modules/pay/respond.php Location is about 16 Line

original code

$payment = $this->get_by_code($_GET['code']);

is replaced with

$payment = $this->get_by_code(mysql_real_escape_string($_GET['code']));

2. phpcms injection vulnerability

/phpcms/modules/poster/poster .php position is about 221 lines after

if ($_GET['group']) {

, add

$_GET['group'] = preg_replace('#`#', '', $_GET['group']);

3, phpcms front-end injection leads to arbitrary file reading vulnerability patch

/phpcms/ modules/content/down.php

(1) Replace line 17

parse_str($a_k);

with

$a_k = safe_replace($a_k); parse_str($a_k);

(2) Line 89

parse_str($a_k);

Replace with

$a_k = safe_replace($a_k); parse_str($a_k);

(3) and add

$filename = date('Ymd_his').random(3).'.'.$ext;

# after line 120 of position 3.

$fileurl = str_replace(array('<','>'), '',$fileurl);

4, phpcms injection vulnerability

/phpcms/modules/member/index.php is located at about 615 lines

Original code:

$password = isset($_POST['password']) && trim($_POST['password']) ? trim($_POST['password']) : showmessage(L('password_empty'),HTTP_REFERER);

Replaced with:

$password = isset($_POST['password']) && trim($_POST['password']) ? addslashes(urldecode(trim($_POST['password'] ))) : showmessage(L('password_empty'), HTTP_REFERER);

5, PHPCMS V9.6.2 SQL Injection vulnerability

(1) phpcms/libs/classes/param.class.php is located at about line 109

The original code

$value = isset($_COOKIE[$var]) ? sys_auth($_COOKIE[$var], 'DECODE') : $default;

is replaced with

$value = isset($_COOKIE[$var])?addslashes(sys_auth($_COOKIE[$var],'DECODE')):$default;

(2)/phpsso_server/phpcms/libs/classes/param.class.php is located at about 108 lines

The original code

return isset($_COOKIE[$var]) ? sys_auth($_COOKIE[$var], 'DECODE') : $default;

is replaced with

return isset($_COOKIE[$var]) ? addslashes(sys_auth($_COOKIE[$var],'DECODE')) : $default;

6. A logical problem somewhere in phpcms caused getshell

/phpcms/libs/classes/attachment.class.php to be located at line 143 of

function download($field, $value,$watermark = '0',$ext = 'gif|jpg|jpeg|bmp|png', $absurl = '', $basehref = ''){

followed by

$extArray=explode('|',$ext); if(!empty($extArray) && is_array($extArray)){ foreach($extArray as $k => $v){ if(!in_array(strtolower($v), array('gif','jpg','jpeg','bmp','png'))); exit('0');//循环判断如果 有一个不符合，直接返回 0 } }

In this way, add a judgment. If the allowed file formats are 'gif', 'jpg', 'jpeg', 'bmp', 'png', continue, otherwise it will jump out. Of course, the formats here can be increased as needed. several.

7. phpcms injection vulnerability

/api/phpsso.php is located at about 128 lines

The original code

$arr['uid'] = intval($arr['uid']); $phpssouid = $arr['uid'];

is replaced by , two-in-one code

$phpssouid = intval($arr['uid']);

8. phpcms authkey generation algorithm problem leads to authkey leakage

Follow the following function to regenerate the key value, and then find caches/configs Just replace the two parameters in /system.php and it will be ok

'; echo random(32, 'phpssoauthkey');exit; ?>

PHP Chinese website, a large number of freePHPCMS tutorials, welcome to learn online!

The above is the detailed content of PHPCMS various injection vulnerability patches. For more information, please follow other related articles on the PHP Chinese website!